A hacktivist group has claimed to have leaked CrowdStrike’s entire internal threat actor list, including indicators of compromise (IoC).
CrowdStrike acknowledged the claims by the USDoD threat actor in a blog post on July 25, 2024. The firm noted that USDoD provided a link to download the alleged threat actor list and provided a sample of data fields on the notorious BreachForums cybercrime forum.
The claims come in the wake of the global IT outage on July 19 caused by a bug in a content update for the CrowdStrike Falcon platform. The bug prevented affected systems from booting correctly, disrupting critical sectors such as airlines, banks, media and healthcare.
Threat Intel Data Claims
CrowdStrike said that sample data released by USDoD contained detailed internal intelligence on threat actors. This included:
- Adversary aliases
- Adversary status
- Last active dates for each adversary
- Region/country of adversary origin
- Number of targeted industries
- Number of targeted countries
- Threat actor type and motivation
The firm observed that the adversary alias field contained the same aliases as the Falcon platform but listed in a different order.
CrowdStrike said that the threat intelligence data is available to tens of thousands of its approved customers, partners and prospects, as well as hundreds of thousands of users but is not avalaible publicly.
The sample leak contained data with “LastActive” dates until no later than June 2024, however the Falcon portal’s last active dates for some of the referenced actors are as recent as July 2024, suggesting the data was obtained very recently.
USDoD also alleged that it had obtained CrowdStrike’s entire IOC list and would release it soon. IOCs are used by cybersecurity professionals to determine a hacker’s methods in an attack.
Additionally, CrowdStrike noted that the hacktivist group claimed in their post to have “two big dbs from a oil company and a pharmacy industry (not from USA).” It is unclear whether this claim is separate from the alleged leak of CrowdStrike data.
Security researchers vx-underground highlighted USDoD’s BreachForums post on X (formerly Twitter).
They said they had spoken with USDoD, who told them they programmatically abused CrowdStrike endpoints to pull IOCs from the company, with the scraping operation taking around a month.
“The time the scrape operation completed it just so happened by chance to coincide with the recent CrowdStrike scandel – they've got bad luck it seems,” said vx-underground.
Regarding the recent so-called 'CrowdStrike' breach which was posted on BreachForum: this is not a data breach.
— vx-underground (@vxunderground) July 25, 2024
The individual responsible for the information ....disclosure, ...leak (?), operating under the moniker USDoD, openly states the data is scraped. Not sure why it's… pic.twitter.com/zL0JXmY6e0
In a statement sent to Infosecurity, CrowdStrike emphasized that if the attackers' claims are correct, it does not constitute a breach.
"There is no CrowdStrike breach. This threat intel data is available to tens of thousands of customers, partners and prospects," the firm stated.
Hacktivist Group USDoD Explained
CrowdStrike said USDoD has operated since at least 2020, conducting both hacktivism and financially motivated breaches. In the past two years, the group has focused on high-profile targeted intrusion campaigns.
Since January 2024, the threat actor has sought to diversify and expand their cyber activities from solely conducting cyber operations into administering eCrime forums.
In September 2023, USDoD claimed to have stolen personal data from credit agency TransUnion, and in the same month claimed a data breach at Airbus.
It primarily uses social-engineering tactics to access sensitive data.
Read now: Threat Actors Weaponize Hacktivism for Financial Gain
CrowdStrike noted that USDoD has previously exaggerated claims, likely in an attempt to enhance their reputation within both hacktivist and eCrime communities.